Reporting a data security breach/incident
A data security breach involves the loss of, or unauthorised access to, personal or confidential data or intellectual property. This includes both information in hard copy and electronic information. Breaches include:
- Theft or loss of data eg sensitive papers or a laptop containing intellectual property being lost
- Accidental disclosure eg personal data being emailed to the wrong person or published online
- Malicious access to data eg student personal data being given out to an impostor over the telephone, or a system being hacked
All information security incidents (including those involving paper records) must be reported promptly so the risk to individuals, the University and others can be contained and prevented where possible.
Do not report by email: responses to email can be delayed, and the risk to individuals and the University increases significantly while the incident goes unhandled. By reporting quickly, steps can be taken to investigate, secure the information and prevent an incident from becoming a breach.
Theft and break-ins
Theft of equipment and physical break-ins should also be reported to the University Estate Patrol, telephone: 01392 723999 (report an incident).
Please see our Data Breach Policy for more information regarding your responsibilities.
An information security incident is where there is the risk of a breach; by reporting these quickly, steps can be taken to investigate, secure the information and prevent the incident becoming a breach.
An incident is like a Health and Safety near-miss; by reporting it we can not only prevent a breach occurring, but can also learn where our risks are and identify controls to reduce the risk of them reoccurring.
An information security breach is where the incident has resulted in any loss of, or unauthorised access to University data, normally involving University personal or confidential information, including intellectual property (IP).
Any information security breach that involves personal information may also be a breach of the Data Protection Act 1998. The University must investigate and, when appropriate, report these to the Information Commissioner's Office (ICO), which can take enforcement action, including fines.
Staff must report any perceived breaches so they can be fully investigated. Ignoring a breach leaves the information unchecked and allows the risk to individuals and the University to increase; for that reason staff are more likely to face disciplinary action for failing to report a security incident or breach than for the incident itself.
If a data security breach has occurred you should contact Exeter IT:
| Location | Telephone | In person |
| --- | --- | --- |
| Streatham Campus, Exeter | 0300 555 0444 | Student Information Desk (SID), Forum |
| Cornwall Campus, Penryn | 0300 555 0444 | Contact SID at Streatham Campus |
| Knowledge Spa, Truro | 0300 555 0444 | Contact SID at Streatham Campus |
If you are unsure whether a breach has occurred contact Exeter IT for advice. Minor incidents that require no action should be reported using the Exeter IT Self Service Portal.
Examples of incidents and breaches that must be reported include:
- The loss or theft of data in any format (eg papers taken from a car, post intercepted, unauthorised download)
- Loss or theft of equipment used to store University information (eg laptop, smartphone, USB stick)
- Inappropriate access controls allowing unauthorised access
- Compromised IT user account (eg spoofing, hacking, shared password)
- Blagging where information is obtained by deception (a person claims to be someone else over the phone)
- Accidental or unauthorised disclosure of University information (eg email or letter to wrong recipient or incorrect system permissions/filter failure)
- Corruption or unauthorised modification of vital records (eg alteration of master records)
- Computer systems or equipment compromise (eg virus, malware, denial of service attack)
- Break-in at a location holding sensitive information or containing critical information processing equipment such as servers.
Why do I need to report by phone?
All data breaches and incidents must be reported by calling Exeter IT via SID. This ensures an immediate response, so steps can be taken to secure the information and limit the risks to individuals and the University. Emails to SID can take up to 5 days to be dealt with; by then the information has been left unchecked and what was only an incident may have become a much more significant breach.
I clicked a link and nothing happened, do I need to report?
Yes. If you click a link in a phishing email you must report it even if nothing appears to happen, so that Exeter IT can check that your computer has not been infected in the background. If you also entered your username and password on the page the link opened, say so when you report: the account must then be treated as compromised.
What impact will the GDPR (new data protection law) have on breaches?
Under the new law it will be mandatory to report personal data breaches to the ICO, and we will need to do so within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals). We can be fined for data breaches, and we can also be fined for failing to report one.
How much are data breach fines?
Under the current Data Protection Act fines are up to £500,000. Under the GDPR the maximum increases to 20 million euros or 4% of annual worldwide turnover, whichever is higher, and we can be fined for not reporting.
The size of any fine depends on the risk and on how the breach was handled: if we quickly report, investigate and manage the data breach we can reduce the risk to individuals, and this can reduce the amount the University is fined.
How do I report the loss of hard-copy files?
The loss of any data, regardless of its medium, can constitute a data breach. Even a single piece of paper can contain information whose release could be harmful. Losses of hard-copy data need to be reported in the same way, by calling SID.
Do you want to ask a different question?
These pages are being continuously developed, please email any questions to firstname.lastname@example.org and we will respond to you directly as well as develop these FAQs.